[Bug 1898547] Re: neutron-linuxbridge-agent fails to start with iptables 1.8.5

Albert Damen 1898547 at bugs.launchpad.net
Wed Oct 21 16:24:52 UTC 2020


This issue was fixed in iptables git master commit
dac904bdcd9a18aabafee7275ccf0c2bd53800f3

I guess the actual fix may have been "iptables-nft: fix basechain policy
configuration", commit 0bd7a8eaf3582159490ab355b1217a4e42ed021f

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1898547

Title:
  neutron-linuxbridge-agent fails to start with iptables 1.8.5

Status in neutron package in Ubuntu:
  Invalid

Bug description:
  Ubuntu Groovy (20.10)
  kernel 5.8.0-20-generic
  neutron-linuxbridge-agent: 2:17.0.0~git2020091014.215a541bd4-0ubuntu1
  iptables: 1.8.5-3ubuntu1 (nf_tables)
  iptables-restore points to xtables-nft-multi

  After upgrading iptables from 1.8.4 to 1.8.5 and rebooting the neutron network node, neutron-linuxbridge-agent didn't properly start anymore.
  The log file shows many errors like:

  2020-10-05 10:20:37.998 551 ERROR
  neutron.plugins.ml2.drivers.agent._common_agent ; Stdout: ; Stderr:
  iptables-restore: line 29 failed

  Downgrading iptables to 1.8.4 solves the problem.

  Trying to do what the linuxbridge agent does:
  2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent *filter
  2020-10-05 10:20:37.998 551 ERROR neutron.plugins.ml2.drivers.agent._common_agent :FORWARD - [0:0]

  shows that

  iptables-restore <<EOF
  *filter
  :INPUT - [0:0]
  COMMIT
  EOF

  works fine with iptables 1.8.4 but fails with 1.8.5.

  
  Workaround

  It seems neutron-linuxbridge agent tries to create the default chains (like INPUT) with a "-" as policy. By making sure the chains already exist (and are shown with iptables-save) the agent doesn't try to create those default chains and the agent starts fine.
  So just running:
  sudo iptables -F OUTPUT
  sudo iptables -F OUTPUT -t raw
  sudo ip6tables -F OUTPUT
  sudo ip6tables -F OUTPUT -t raw

  is enough to get neutron-linuxbridge-agent working with iptables
  1.8.5.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1898547/+subscriptions
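A small pre-flight check for the condition described in the workaround above, added here as an example and not taken from the bug report or from neutron: it lists the built-in chains that have no entry in an iptables-save dump (exactly the chains the agent would then declare with a "-" policy) and dry-runs the failing restore with iptables-restore --test. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report. Usage as root:
#   iptables-save | sh check_chains.sh filter   (hypothetical file name)

# Built-in chains of each table as the kernel creates them.
builtin_chains() {
  case "$1" in
    filter) echo "INPUT FORWARD OUTPUT" ;;
    nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
    mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    raw)    echo "PREROUTING OUTPUT" ;;
    *)      return 1 ;;
  esac
}

# missing_chains TABLE  < iptables-save-output
# Prints, one per line, the built-in chains of TABLE that have no
# ":CHAIN ..." line in the dump. Those are the chains an agent that
# mirrors iptables-save would try to create with ":CHAIN - [0:0]".
missing_chains() {
  table="$1"
  dump="$(cat)"
  # Keep only the "*TABLE" ... "COMMIT" section of the dump (may be empty).
  section="$(printf '%s\n' "$dump" | sed -n "/^\*$table\$/,/^COMMIT\$/p")"
  for chain in $(builtin_chains "$table"); do
    printf '%s\n' "$section" | grep -q "^:$chain " || echo "$chain"
  done
}

# restore_accepts_dash_policy
# Returns 0 if iptables-restore --test accepts a built-in chain declared
# with policy "-" (as 1.8.4 does), 1 if it rejects it (the 1.8.5 behaviour
# reported in this bug), 2 if iptables-restore is not installed.
# --test only parses and builds the ruleset; nothing is committed.
restore_accepts_dash_policy() {
  command -v iptables-restore >/dev/null 2>&1 || return 2
  if printf '*filter\n:INPUT - [0:0]\nCOMMIT\n' | iptables-restore --test 2>/dev/null
  then return 0; else return 1; fi
}
```

If missing_chains prints anything for the filter or raw table, the workaround above (flushing the chain so it appears in iptables-save) applies to exactly those chains.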
